Wednesday, September 10, 2014

Android Forensics: In case you are left with no toolkits for an Android investigation - what next?


I was very intrigued by what a forensic investigator would do without the forensic toolkits we are all gifted with.
The following is a quick action plan for such a situation:
1. Basic pointers to start with:
      a. Network isolation of the device
      b. Set up the right drivers for the device
http://developer.android.com/tools/extras/oem-usb.html#InstallingDriver
The above link is a good source for most Android device drivers.
      c. Enable USB debugging and the “stay awake” setting on the phone
2. Get the Android SDK (http://developer.android.com/sdk/index.html)
Getting the SDK installed for the first time is quite a challenge and won’t work well on PwC-provided laptops with restrictions. You would also ideally need open internet access to fetch the updated packages for the SDK toolkit (provided you are using them).
I am not going into details about getting your phone connected to the SDK, but in case you are stuck there are many articles covering that bit.
3. Using ADB to copy files to and from your Android device
There are several applications that can connect to your device using protocols such as DAV, SMB, etc. However, one quick way I relied on to copy data from a device connected to a computer via USB is the adb tool.
adb allows you to send commands to your Android device, pull and push files to it, get shell access to the Android device and read information from your device.
If you have several devices connected you can issue commands to one individual device:
# Lists all the devices attached to SDK
adb devices
# Result
List of devices attached
emulator-5539 attached
emulator-5540 attached
# Issue a command to a specific device
adb -s emulator-5540 shell
To copy a file from the computer to an Android device connected via USB, use the following command:
o adb push /path/to/local/file /mnt/sdcard/path/to/file
4. Using the ADB dumpsys toolkit
The adb dumpsys command allows you to retrieve information about the Android system and the running applications.
i. To extract information about memory allocation
If you want to see the info for all processes, use
o adb shell dumpsys meminfo
To get the current memory consumption of a single application, use the following command:
o adb shell dumpsys meminfo <package.name>
ii. CPU information
o adb shell dumpsys cpuinfo
iii. To list the registered services
o adb shell service list
iv. Wi-Fi information
o adb shell dumpsys wifi
v. To dump the activity manager
This asks the activity manager to print a dump of its current state. The first part of that is the complete activity history, organized by task.
o adb shell dumpsys activity
vi. Other services
Many other services can be dumped with the following syntax:
o adb shell dumpsys <service>
The following services are available from the dumpsys toolkit:
o accessibility
o account
o activity
o alarm
o apn_settings_policy
o application_policy
o appwidget
o audio
o backup
o battery
o batteryinfo
o bluetooth
o bluetooth_a2dp
o bluetooth_avrcp
o bluetooth_policy
o browser_policy
o clipboard
o clipboardEx
o connectivity
o content
o country_detector
o cpuinfo
o CustomFrequencyManagerService
o date_time_policy
o device_info
o device_policy
o devicestoragemonitor
o DirEncryptService
o diskstats
o drm.drmManager
o dropbox
o eas_account_policy
o email_account_policy
o enterprise_policy
o enterprise_vpn_policy
o entropy
o firewall_policy
o FMPlayer
o gfxinfo
o hardware
o input_method
o iphonesubinfo
o isms
o location
o location_policy
o mdm.remotedesktop
o media.audio_flinger
o media.audio_policy
o media.camera
o media.player
o media.yamahaplayer
o meminfo
o mini_mode_app_manager
o misc_policy
o motion_recognition
o mount
o netpolicy
o netstats
o network_management
o notification
o package
o password_policy
o permission
o phone
o phone_restriction_policy
o phoneext
o power
o remoteinjection
o restriction_policy
o roaming_policy
o samplingprofiler
o search
o SecTVOutService
o security_policy
o sensorservice
o shutdownlogger
o simphonebook
o statusbar
o SurfaceFlinger
o telephony.registry
o textservices
o throttle
o tvoutservice
o TvoutService_C
o uimode
o usagestats
o usb
o vibrator
o voip
o vpn_policy
o wallpaper
o wifi
o wifi_policy
o wifip2p
o window
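As an added example (not code from the original post), the POSIX shell helpers below turn the adb and dumpsys commands above into a repeatable collection routine: they parse the output of adb devices to choose a single usable serial for adb -s, then save each dumpsys service dump to its own file together with a SHA-256 checksum so the collected output can be verified afterwards. The ADB variable, the function names and the sample device listing are assumptions of this example, not part of the page.

```shell
#!/bin/sh
# Added example, not the original post's code. ADB can be overridden
# (e.g. ADB=/path/to/adb) so the same routine works on a locked-down laptop.
ADB=${ADB:-adb}

# Constructed sample of "adb devices" output (not captured from a real device):
# one header line, then each serial followed by its state.
SAMPLE_DEVICES='List of devices attached
emulator-5539 device
0123456789ABCDEF unauthorized
emulator-5540 device'

# Print the serial of every device in a usable state ("device"), skipping the
# header line and any device that is offline or has not authorized this host.
usable_serials() {
  printf '%s\n' "$1" | awk 'NR > 1 && NF >= 2 && $2 == "device" { print $1 }'
}

# Pick the serial for "adb -s": succeeds only when exactly one usable device is
# attached, so commands never silently land on the wrong phone.
select_serial() {
  serials=$(usable_serials "$1")
  [ "$(printf '%s\n' "$serials" | grep -c .)" -eq 1 ] || return 1
  printf '%s\n' "$serials"
}

# Save "dumpsys <service>" for each named service to OUTDIR/<service>.txt and
# write OUTDIR/SHA256SUMS (sha256sum -c format) so the bundle can be verified.
collect_dumpsys() {
  serial=$1; outdir=$2; shift 2
  mkdir -p "$outdir"
  for svc in "$@"; do
    "$ADB" -s "$serial" shell dumpsys "$svc" > "$outdir/$svc.txt" 2>&1
    printf '%s  %s\n' "$(sha256sum < "$outdir/$svc.txt" | cut -d' ' -f1)" "$svc.txt"
  done > "$outdir/SHA256SUMS"
}

# Typical use against a live device (commented out so the file can be sourced):
# serial=$(select_serial "$("$ADB" devices)") || { echo "choose a device"; exit 1; }
# collect_dumpsys "$serial" ./evidence battery wifi activity meminfo netstats
```

Run sha256sum -c SHA256SUMS inside the output directory later to confirm the saved dumps have not changed since collection.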
